GITBOOK-4367: No subject

This commit is contained in:
CPol 2024-07-17 11:11:22 +00:00 committed by gitbook-bot
parent e5d1cbc2f2
commit f9c3facea3
No known key found for this signature in database
GPG key ID: 07D2180C7B12D0FF
4 changed files with 32 additions and 8 deletions

View file

@ -510,6 +510,7 @@ query isValidDiscount($code: Int) {
### Vulnerability scanners
* [https://github.com/dolevf/graphql-cop](https://github.com/dolevf/graphql-cop): Test common misconfigurations of graphql endpoints
* [https://github.com/assetnote/batchql](https://github.com/assetnote/batchql): GraphQL security auditing script with a focus on performing batch GraphQL queries and mutations.
* [https://github.com/dolevf/graphw00f](https://github.com/dolevf/graphw00f): Fingerprint the graphql being used
* [https://github.com/gsmith257-cyber/GraphCrawler](https://github.com/gsmith257-cyber/GraphCrawler): Toolkit that can be used to grab schemas and search for sensitive data, test authorization, brute force schemas, and find paths to a given type.
* [https://blog.doyensec.com/2020/03/26/graphql-scanner.html](https://blog.doyensec.com/2020/03/26/graphql-scanner.html): Can be used as standalone or [Burp extension](https://github.com/doyensec/inql).
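Review bot: the new GraphCrawler entry is the only item in this list written as a long comma-spliced sentence; tighten it to match the one-clause descriptions of the other tools, e.g. "Toolkit to grab schemas, search them for sensitive data, test authorization, brute-force schemas and find paths to a given type."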

View file

@ -229,6 +229,14 @@ In the following scenario the **attacker made the server throw some big errors**
![](<../../../.gitbook/assets/image (1085).png>)
## SSRF in PHP functions
Check ther page:
{% content-ref url="php-ssrf.md" %}
[php-ssrf.md](php-ssrf.md)
{% endcontent-ref %}
## Code execution
**system("ls");**\
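Review bot: typo in the new lead-in, "Check ther page:" should read "Check the page:" (or "Check this page:"). The new heading "SSRF in PHP functions" also differs from "SSRF PHP Functions", which this same commit uses for the section linking back to the same page in the SSRF file; use one wording in both places.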

View file

@ -16,7 +16,7 @@ Other ways to support HackTricks:
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
@ -33,6 +33,20 @@ file("http://127.0.0.1:8081");
md5_file("http://127.0.0.1:8081");
```
### Wordpress SSRF via DNS Rebinding
As [**explained in this blog post**](https://patchstack.com/articles/exploring-the-unpatched-wordpress-ssrf), even the Wordpress function **`wp_safe_remote_get`** is vulnerable to DNS rebinding, making it potentially vulnerable to SSRF attacks. The main validation it calls is **wp\_http\_validate\_ur**l, which checks that the protocol is `http://` or `https://` and that the port is one of **80**, **443**, and **8080**, but it's **vulnerable to DNS rebinding**.
Other vulnerable functions according to the post are:
* `wp_safe_remote_request()`
* `wp_safe_remote_post()`
* `wp_safe_remote_head()`
* `WP_REST_URL_Details_Controller::get_remote_url()`
* `download_url()`
* `wp_remote_fopen()`
* `WP_oEmbed::discover()`
### CRLF
Moreover, in some cases it might be even possible to send arbitrary headers via CRLF "vulnerabilities" in the previous functions:
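Review bot: the stray bold in "wp\_http\_validate\_ur**l" breaks the function name; write it as `wp_http_validate_url` in backticks, like the other identifiers in the list below it. The paragraph states that the function "is vulnerable to DNS rebinding" but never says what that means here: the validation resolves the hostname and checks the result, and the request that follows resolves it again, so a name whose record changes between the two lookups passes the check and then reaches an internal address. One sentence to that effect would also explain why every function in the "other vulnerable functions" list is affected, since each goes through the same resolve-then-fetch gap. Minor: the project spells its name "WordPress", not "Wordpress", in both the heading and the paragraph.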
@ -76,11 +90,10 @@ $file = file_get_contents($url, false, $context);
**Try Hard Security Group**
<figure><img src="/.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
<figure><img src="../../../.gitbook/assets/telegram-cloud-document-1-5159108904864449420.jpg" alt=""><figcaption></figcaption></figure>
{% embed url="https://discord.gg/tryhardsecurity" %}
<details>
<summary><strong>Learn AWS hacking from zero to hero with</strong> <a href="https://training.hacktricks.xyz/courses/arte"><strong>htARTE (HackTricks AWS Red Team Expert)</strong></a><strong>!</strong></summary>

View file

@ -3,7 +3,7 @@
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
@ -127,7 +127,7 @@ https://example.com/?q=http://evil.com/redirect.php.
```
{% endcode %}
#### Gopher MongoDB -- Create user with username=admin with password=admin123 and with permission=administrator
#### Gopher MongoDB -- Create user with username=admin with password=admin123 and with permission=administrator
```bash
# Check: https://brycec.me/posts/dicectf_2023_challenges#unfinished
@ -179,6 +179,8 @@ Create several sessions and try to download heavy files exploiting the SSRF from
## SSRF PHP Functions
Check the following page for vulnerable PHP and even Wordpress functions:
{% content-ref url="../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md" %}
[php-ssrf.md](../../network-services-pentesting/pentesting-web/php-tricks-esp/php-ssrf.md)
{% endcontent-ref %}
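Review bot: "vulnerable PHP and even Wordpress functions" reads oddly; suggest "vulnerable PHP functions, including the WordPress wrappers" (WordPress capitalised). The heading "SSRF PHP Functions" should also match the "SSRF in PHP functions" heading this commit adds for the same topic in the PHP tricks file.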
@ -220,7 +222,7 @@ if __name__ == "__main__":
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}
@ -268,7 +270,7 @@ Vulnerable code:
<figure><img src="../../.gitbook/assets/image (1201).png" alt=""><figcaption></figcaption></figure>
It was discovered that It's possible to **start the path** of a request with character **`;`** which allows to use then **`@`** and inject a new host to access. Attack request:
It was discovered that It's possible to **start the path** of a request with character **`;`** which allows to use then **`@`** and inject a new host to access. Attack request:
```http
GET ;@evil.com/url HTTP/1.1
@ -423,7 +425,7 @@ Other ways to support HackTricks:
<figure><img src="../../.gitbook/assets/image (48).png" alt=""><figcaption></figcaption></figure>
\
Use [**Trickest**](https://trickest.com/?utm_source=hacktricks&utm_medium=text&utm_campaign=ppc&utm_term=trickest&utm_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Use [**Trickest**](https://trickest.com/?utm\_source=hacktricks\&utm\_medium=text\&utm\_campaign=ppc\&utm\_term=trickest\&utm\_content=ssrf-server-side-request-forgery) to easily build and **automate workflows** powered by the world's **most advanced** community tools.\
Get Access Today:
{% embed url="https://trickest.com/?utm_source=hacktricks&utm_medium=banner&utm_campaign=ppc&utm_content=ssrf-server-side-request-forgery" %}